I have a web application (PHP) which I need to leave at a customer's premises. They have no internet and are not willing to use the internet to use my app.

So I have to leave a Linux server at their place. But I'm worried about someone accessing my server and getting my PHP code. In addition to encrypting the PHP (Ion encoder, Zend Guard) and LUKS disk encryption, I don't know what else I can do to protect my machine.

I know Microsoft said a long time ago that as long as someone has physical access to a machine it should be considered breakable, so my app/server will be in "hostile territory", but I have no choice. But I can do as much as I can to prevent it. I'm considering disabling TTYs and enabling login via SSH with keys so only I can access it remotely (which means when I get there with my laptop).

Which one would be better: having my whole setup on a server, or inside a VM inside a server? Because the disk will be encrypted, I don't care too much about someone copying my disk (I can't do too much about it either). But then, how can I prevent someone changing the root password from GRUB?

Also, even if I password-protect the BIOS, won't it unlock when the board is flashed?

  • Most companies rely more on copyright, law and contracts to protect their interests beyond what can be achieved with reasonable technical means. – HBruijn Apr 27 '18 at 00:59
  • Yes, but that's unfeasible in my case. My clients are local governments and corruption is "normal" all around, so it wouldn't be unlikely that my server would be analyzed by a rival that has a friend in the mayor's office. – Mr X Colombia Apr 27 '18 at 01:09

1 Answer

Yes, if they're able to take the box apart and pull the BIOS battery, they can unlock the BIOS. I'm also not sure that putting your app on a VM would provide what you're looking for.

You probably want to store it in a colo cage. Something like this:

https://farm2.staticflickr.com/1137/865711871_d8f8ae9b1a_z.jpg?zz=1 (photo credit)

If they can't physically lay hands on it, they can't tear open the case, access grub, etc. This is the industry standard for this sort of thing.

There's an associated cost, and you might need to consider at what point you're spending more than protecting your code is worth. (I can't answer that; only you know the monetary value of your code.)

Katherine Villyard
  • I've read that hard drive encryption is useless, as after editing grub, LUKS can be used to decrypt a system. Then what is encryption used for if anyone can break it?? – Mr X Colombia Apr 27 '18 at 01:28
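
The question raises SSH login with keys only and editing boot entries from GRUB. As an added example that is not part of the original posts, this script checks copies of `sshd_config` and `grub.cfg` for both settings; the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audits two settings raised in the question. Paths are arguments,
# so the checks can run against copies of the files.

# Effective global value of an sshd_config keyword: first occurrence wins, keywords
# are case-insensitive, and parsing stops at the first Match block.
sshd_value() {  # usage: sshd_value FILE KEYWORD DEFAULT
    awk -v k="$2" -v d="$3" '
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { print tolower($2); found = 1; exit }
        END { if (!found) print d }' "$1"
}

# Key-only SSH: password and keyboard-interactive logins refused, public keys
# accepted. ChallengeResponseAuthentication is the older name of the second keyword.
ssh_key_only() {  # usage: ssh_key_only SSHD_CONFIG
    kbd=$(sshd_value "$1" KbdInteractiveAuthentication \
        "$(sshd_value "$1" ChallengeResponseAuthentication yes)")
    [ "$(sshd_value "$1" PasswordAuthentication yes)" = no ] &&
        [ "$kbd" = no ] && [ "$(sshd_value "$1" PubkeyAuthentication yes)" = yes ]
}

# GRUB 2 asks for a password before entries can be edited or its command line
# opened only when a superuser is defined and has a hashed password.
grub_locked() {  # usage: grub_locked GRUB_CFG
    grep -Eq '^[[:space:]]*set[[:space:]]+superusers=' "$1" &&
    grep -Eq '^[[:space:]]*password_pbkdf2[[:space:]]+[^[:space:]]+[[:space:]]+grub\.pbkdf2\.' "$1"
}

audit() {  # usage: audit SSHD_CONFIG GRUB_CFG; returns non-zero on any FAIL
    rc=0
    if ssh_key_only "$1"; then echo "PASS ssh: key-only login"
    else echo "FAIL ssh: password or keyboard-interactive login allowed"; rc=1; fi
    if grub_locked "$2"; then echo "PASS grub: superuser password set"
    else echo "FAIL grub: boot entries editable without a password"; rc=1; fi
    return $rc
}

# Constructed sample files (not from a real host; the hash is a placeholder).
demo_dir=$(mktemp -d)
printf '%s\n' 'PasswordAuthentication no' 'ChallengeResponseAuthentication no' \
    'PubkeyAuthentication yes' > "$demo_dir/sshd_config"
printf '%s\n' 'set superusers="admin"' \
    'password_pbkdf2 admin grub.pbkdf2.sha512.10000.PLACEHOLDER' > "$demo_dir/grub.cfg"
audit "$demo_dir/sshd_config" "$demo_dir/grub.cfg"
```

The script reads a single file and does not follow `Include` directives; on a live host, `sshd -T` prints the effective configuration.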